I am getting a peculiar behaviour from the
wu-ftpd-2.4.2b18-2.1.i386.rpm package downloaded from
updates.redhat.com. It is reproducible for me.
Scenario: I configured /etc/ftpaccess to allow only guest
accounts, i.e. no real and anonymous access. I modified the
default ftpaccess file so that the first line reads:

    class guestuser guest *

To verify it, I ftp to my machine using various combinations
of real, guest and anonymous accounts. Almost every time it
works - real and anonymous users are rejected while guests are
admitted if the password is right.
I said almost because if I do it in the following sequence,
I can get anonymous access:
1. FTP to machine;
2. Log in as a *valid* guest user ("adam" in this example)
       Name(machine-name:someuser): adam <Enter>
       331 Password required for adam.
3. Provide blank/dummy password.
       Password: <Enter>
       530 Login incorrect.
4. Just as one would expect for the wrong password. However,
   immediately log in as anonymous.
       ftp> user anonymous <Enter>
       331 Guest login ok, send your complete ...<blah>
5. Give some random address.
       Password: someone@out.there <Enter>
       230 Guest login ok, access restriction apply.
Tada! I get anonymous access when I am not supposed to.
Seems like the first login as a valid guest user (but with
the wrong password) sets some flag which subsequently makes
ftpd forget the fact that anonymous access is not allowed.
I believe the wu-ftpd VR14 release has the same problem
too.
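
As an added example (not part of the original post and not wu-ftpd code): a small Python check that a regression test or session review could run over a captured FTP control-channel transcript to flag the behaviour reported above, an anonymous login answered with 230 on a server whose policy forbids anonymous access. The `C:`/`S:` transcript format, the function name and the sample session are constructed for illustration.

```python
import re

ANON_NAMES = {"anonymous", "ftp"}  # names FTP servers conventionally treat as anonymous

# Constructed capture of the session in the post ("C:" client, "S:" server).
SAMPLE = """\
C: USER adam
S: 331 Password required for adam.
C: PASS
S: 530 Login incorrect.
C: USER anonymous
S: 331 Guest login ok
C: PASS someone@out.there
S: 230 Guest login ok, access restriction apply.
"""

def find_anonymous_bypass(transcript, anonymous_allowed=False):
    """Flag anonymous logins answered with 230 when policy forbids them.

    Each finding lists the users whose password was rejected (530) earlier
    on the same connection, which is the precondition the post describes.
    """
    findings, failed_users = [], []
    pending_user = last_cmd = None
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.startswith("C:"):
            parts = line[2:].split(None, 1)
            if not parts:
                continue
            last_cmd = parts[0].upper()
            if last_cmd == "USER":
                pending_user = parts[1].strip().lower() if len(parts) > 1 else ""
        elif line.startswith("S:"):
            # Final reply lines are "NNN text"; "NNN-text" continuations are skipped.
            m = re.match(r"\s*(\d{3}) ", line[2:] + " ")
            if not m or last_cmd != "PASS" or pending_user is None:
                continue
            code, last_cmd = m.group(1), None  # consume this PASS reply once
            if code == "530":
                failed_users.append(pending_user)
            elif code == "230" and pending_user in ANON_NAMES and not anonymous_allowed:
                findings.append({"user": pending_user,
                                 "after_failed_login_as": list(failed_users)})
    return findings

if __name__ == "__main__":
    for f in find_anonymous_bypass(SAMPLE):
        print("policy violation:", f)
```

A finding with a non-empty `after_failed_login_as` list matches the sequence in the post; an empty list means anonymous access was granted without any preceding failed login, which points at the ftpaccess configuration itself.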